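السلام عليكم ورحمة الله وبركاتة

كود:
nano /usr/local/apache/conf/modsec2.user.conf

كود:
# ModSecurity 2.x user rules for modsec2.user.conf, one directive per line.
#
# Review notes on this listing:
#  - The forum word filter had replaced "Content" (in Content-Length) and the
#    letters of "cookie"; both are restored. The "http-equiv" token in rule
#    950009 is reconstructed from the matching Core Rule Set signature and
#    should be verified against your CRS copy.
#  - ModSecurity 2.7 and later refuse to load a SecRule that has no id. The
#    keyword rules below had none; ids 10001-10119 are constructed for this
#    listing. Renumber them to any free values in the 1-99999 local range.
#  - Rules that name no disruptive action (every "id:"-only rule and 960032)
#    take phase and action from SecDefaultAction, which this file does not
#    set. Confirm the main config sets it; otherwise these rules only log.
#  - Exact duplicate patterns from the post were dropped. Many remaining rules
#    still overlap (e.g. "cd " covers "cd /tmp ", "cc:" covers "bcc:").
#  - NOTE(review): several patterns contain a literal space or " HTTP/1.x".
#    They look written for the full request line (ModSecurity 1.x
#    THE_REQUEST); REQUEST_URI holds only the URI. Confirm whether
#    REQUEST_LINE and t:urlDecodeUni are what you want for those rules.

# Fake server banner - NOYB used - no one needs to know what we are using.
# Takes effect only when Apache runs with "ServerTokens Full". Cosmetic only;
# it does not replace patching.
SecServerSignature "Modevps.com security Apache"

# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"

# Require Content-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0"

# Don't accept transfer encodings we know we don't know how to handle.
# The post used the ModSecurity 1.x variable form HTTP_Transfer-Encoding; the
# 2.x collection syntax is used here. This rejects every request that carries
# a Transfer-Encoding header, chunked uploads included.
SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "deny,log,auditlog,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"

# Check decodings: both the validator and the regex must match (chained).
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" "chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

# Allow only GET, POST, OPTIONS and HEAD.
# No disruptive action is listed, so whether this blocks depends on
# SecDefaultAction.
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"

# Restricted HTTP headers
# NOTE(review): the pattern requires a literal dot before the header name;
# header names normally contain none - verify this rule ever fires.
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"

# Session fixation (log only; the matched text is captured into TX.0)
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'"

# Basic rules with arbitrary command detection
# Plain substring/regex matches on the URI. Short patterns such as "cvs",
# "cc:", "cd ", "echo ", "/etc/" and "home%" will also hit legitimate URLs;
# test in detection-only mode before enforcing.
SecRule REQUEST_URI "\.htgroup" "id:10001"
SecRule REQUEST_URI "\.htaccess" "id:10002"
SecRule REQUEST_URI "cd\.\." "id:10003"
SecRule REQUEST_URI "///cgi-bin" "id:10004"
SecRule REQUEST_URI "/cgi-bin///" "id:10005"
SecRule REQUEST_URI "/~root" "id:10006"
SecRule REQUEST_URI "/~ftp" "id:10007"
# The post carried a bare "chain" on this rule, which tied it to the following
# "/\.history" rule so that neither matched on its own. Removed so each
# pattern stands alone (assumed intent).
SecRule REQUEST_URI "/htgrep" "id:10008"
SecRule REQUEST_URI "/\.history" "id:10009"
SecRule REQUEST_URI "/\.bash_history" "id:10010"
SecRule REQUEST_URI "/~nobody" "id:10011"
SecRule REQUEST_URI "<script" "id:10012"
SecRule REQUEST_URI "psybnc" "id:10013"
SecRule REQUEST_URI "cmd=cd\x20/var" "id:10014"
SecRule REQUEST_URI "dir=http" "id:10015"
SecRule REQUEST_URI "\?STRENGUR" "id:10016"
SecRule REQUEST_URI "/etc/motd" "id:10017"
SecRule REQUEST_URI "/etc/passwd" "id:10018"
SecRule REQUEST_URI "conf/httpd\.conf" "id:10019"
SecRule REQUEST_URI "/bin/ps" "id:10020"
SecRule REQUEST_URI "bin/tclsh" "id:10021"
SecRule REQUEST_URI "tclsh8\x20" "id:10022"
SecRule REQUEST_URI "udp\.pl" "id:10023"
SecRule REQUEST_URI "linuxdaybot\.txt" "id:10024"
SecRule REQUEST_URI "wget\x20" "id:10025"
SecRule REQUEST_URI "bin/nasm" "id:10026"
SecRule REQUEST_URI "nasm\x20" "id:10027"
SecRule REQUEST_URI "/usr/bin/perl" "id:10028"
SecRule REQUEST_URI "links -dump " "id:10029"
SecRule REQUEST_URI "links -dump-(charset|width) " "id:10030"
SecRule REQUEST_URI "links (http|https|ftp)\:/" "id:10031"
SecRule REQUEST_URI "links -source " "id:10032"
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)" "id:10033"
SecRule REQUEST_URI "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:10034"
SecRule REQUEST_URI "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:10035"
SecRule REQUEST_URI "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:10036"
SecRule REQUEST_URI "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:10037"
SecRule REQUEST_URI "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:10038"
SecRule REQUEST_URI "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:10039"
SecRule REQUEST_URI "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:10040"
SecRule REQUEST_URI "/\.history HTTP\/(0\.9|1\.0|1\.1)$" "id:10041"
SecRule REQUEST_URI "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$" "id:10042"
SecRule REQUEST_URI "lynx " "id:10043"
SecRule REQUEST_URI "Fhome" "id:10044"
SecRule REQUEST_URI "cvs" "id:10045"
SecRule REQUEST_URI "\.php\?phpinfo" "id:10046"
SecRule REQUEST_URI "\.php\?phpini" "id:10047"
SecRule REQUEST_URI "\.php\?mem" "id:10048"
SecRule REQUEST_URI "\.php\?cpu" "id:10049"
SecRule REQUEST_URI "\.php\?users" "id:10050"
SecRule REQUEST_URI "\.php\?tmp" "id:10051"
SecRule REQUEST_URI "\.php\?delete" "id:10052"
SecRule REQUEST_URI "curl " "id:10053"
SecRule REQUEST_URI "echo " "id:10054"
SecRule REQUEST_URI "links -dump-width " "id:10055"
SecRule REQUEST_URI "links http:// " "id:10056"
SecRule REQUEST_URI "links ftp:// " "id:10057"
SecRule REQUEST_URI "cd /tmp " "id:10058"
SecRule REQUEST_URI "cd /var/tmp " "id:10059"
SecRule REQUEST_URI "cd /etc/httpd/proxy " "id:10060"
SecRule REQUEST_URI "&highlight=%2527%252E " "id:10061"
SecRule REQUEST_URI "changedir=%2Ftmp%2F.php " "id:10062"
SecRule REQUEST_URI "arta\.zip " "id:10063"
SecRule REQUEST_URI "cmd=cd\x20/var " "id:10064"
SecRule REQUEST_URI "HCL_path=http " "id:10065"
SecRule REQUEST_URI "clamav-partial " "id:10066"
SecRule REQUEST_URI "vi\.recover " "id:10067"
SecRule REQUEST_URI "netenberg " "id:10068"
SecRule REQUEST_URI "psybnc " "id:10069"
SecRule REQUEST_URI "fantastico_de_luxe " "id:10070"
SecRule REQUEST_URI "2Fpublic_html&" "id:10071"
# Unescaped dot: matches any character before "htaccess", so this is broader
# than the "\.htaccess" rule above.
SecRule REQUEST_URI ".htaccess" "id:10072"
SecRule REQUEST_URI "c99sh_datapipe.pl" "id:10073"
SecRule REQUEST_URI "listDBs" "id:10074"
SecRule REQUEST_URI "%2home%2" "id:10075"
SecRule REQUEST_URI "%2home%" "id:10076"
SecRule REQUEST_URI "%home%" "id:10077"
SecRule REQUEST_URI "%home" "id:10078"
SecRule REQUEST_URI "home%" "id:10079"
SecRule REQUEST_URI "%2Fhome%2" "id:10080"
SecRule REQUEST_URI "%2Fhome%" "id:10081"
SecRule REQUEST_URI "%Fhome%" "id:10082"
SecRule REQUEST_URI "%Fhome" "id:10083"
SecRule REQUEST_URI "Fhome%" "id:10084"
SecRule REQUEST_URI "/etc/" "id:10085"
SecRule REQUEST_URI "sqlman" "id:10086"
SecRule REQUEST_URI "act=security" "id:10087"
SecRule REQUEST_URI "act=cmd" "id:10088"
SecRule REQUEST_URI "act=chmod" "id:10089"
SecRule REQUEST_URI "act=ls&d=" "id:10090"
SecRule REQUEST_URI "act=f&f=" "id:10091"
SecRule REQUEST_URI "act=sql" "id:10092"
SecRule REQUEST_URI "Bcc:" "id:10093"
SecRule REQUEST_URI "Bcc:\x20" "id:10094"
SecRule REQUEST_URI "cc:" "id:10095"
SecRule REQUEST_URI "cc:\x20" "id:10096"
SecRule REQUEST_URI "bcc:" "id:10097"
SecRule REQUEST_URI "bcc:\x20" "id:10098"
SecRule REQUEST_URI "bcc: " "id:10099"
SecRule REQUEST_URI "cd " "id:10100"
#SecRule REQUEST_URI "id "

# Miscellaneous malicious requests
# These rules can be very effective, however "general" rules such as the
# following have issues with false positives in some environments. Comment out
# as needed.

# XSS attempts for STYLE, VBSCRIPT, JAVASCRIPT, EXPRESSION, and XML
# The post ended these patterns with "/i" or "/Ri". ModSecurity 2.x treats
# that suffix as literal text, so the rules could not match as intended. The
# case-insensitive flag is now the inline "(?i)" prefix.
# NOTE(review): the "/" before \bonerror in the first rule looks like a
# leftover delimiter; as written it fires only when a slash directly precedes
# "onerror".
SecRule REQUEST_URI "(?i)\<IMG.*/\bonerror\b[\s]*=" "id:10101"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]text\/javascript" "id:10102"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]application\/x-javascript" "id:10103"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]text\/jscript" "id:10104"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]text\/vbscript" "id:10105"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]application\/x-vbscript" "id:10106"
SecRule REQUEST_URI "(?i)TYPE\s*=\s*[\'\"]text\/ecmascript" "id:10107"
SecRule REQUEST_URI "(?i)STYLE[\s]*=[\s]*[^>]expression[\s]*\(" "id:10108"
SecRule REQUEST_URI "(?i)[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>" "id:10109"
SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT" "id:10110"

# Deny requests for known web-shell file names.
# Name matching is case-sensitive and is bypassed by renaming the file; treat
# it as a tripwire, not as the control that keeps uploads from executing.
SecRule REQUEST_FILENAME "/(r57shell|TrYaG|TrYg|m0rtix|r0nin|c99shell|phpshell|sa3ekashell|crackit|c777|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php" "id:10111"
# Matches ".pl" anywhere in the path, so every Perl CGI script on the server
# is covered as well.
SecRule REQUEST_FILENAME "\.pl" "id:10112"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;" "id:10113"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl" "id:10114"

# Response inspection. RESPONSE_BODY is populated only in phase 4 and only
# when "SecResponseBodyAccess On" is set; the post gave no phase, so these
# rules would have run before any body existed. "shell" and "c99" are plain
# substrings that will also match ordinary pages - expect false positives.
SecRule RESPONSE_BODY "TrYaG" "phase:4,id:10115"
SecRule RESPONSE_BODY "shell" "phase:4,id:10116"
SecRule RESPONSE_BODY "Sniper" "phase:4,id:10117"
SecRule RESPONSE_BODY "SnIpEr_SA" "phase:4,id:10118"
SecRule RESPONSE_BODY "c99" "phase:4,id:10119"

بعد الانتهاء اضغط ctrl +x ثم y ثم enter بعدها قم بتنفيذ الامر التالي :

كود:
# Check the configuration syntax first (httpd -t) so a rule typo does not
# leave Apache unable to start.
httpd restart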